[midPoint] User activation by HR data with manual override possibility

Aivo Kuhlberg aivo.kuhlberg at rmit.ee
Wed Jan 18 13:23:05 CET 2017


Hi Gustav
I have now set up a MidPoint 3.5 test environment and did some testing with your scripts. They work much better in 3.5, but I still noticed wrong behavior in certain situations:
For testing purposes I also added a scriptedSQL resource to my test environment to see if the resource status is as it should be when the user's administrativeStatus changes.

I played with Override Administrative status (OAS) and Administrative status (AS) values. Here are 2 scenarios where the user icon did not indicate the correct state and at the same time the scriptedSQL resource was not enabled/disabled to the correct state:

Initial values for all tests: Override Administrative status (OAS) = Administrative status (AS) = Undefined


Test1:

    Step 1: OAS is set to Disabled -> Result: user icon is normal (Not OK), scriptedSQL resource is not disabled (Not OK)
    Step 2: OAS is set to Undefined -> Result: user icon is not grayed (OK), scriptedSQL resource is not disabled (OK)

Test2:

    Step 1: AS is set to Disabled -> Result: user icon is grayed (OK), scriptedSQL resource is disabled (OK)
    Step 2: OAS is set to Enabled -> Result: user icon stays grayed (Not OK), scriptedSQL resource stays disabled (Not OK)
    Step 3: OAS is set to Undefined -> Result: user icon stays gray (Not OK), scriptedSQL resource stays disabled (Not OK)

Regards,
Aivo



Aivo Kuhlberg        Phone: (+372) 671 3984
Rahandusministeeriumi Infotehnoloogiakeskus
________________________________
From: Pálos Gustáv <gustav.palos at evolveum.com>
Sent: 16 January 2017 16:35
To: Aivo Kuhlberg
Cc: midPoint General Discussion
Subject: Re: [midPoint] User activation by HR data with manual override possibility

Do you use midPoint 3.5?
We had a bug with this problem in older versions...


2017-01-16 15:33 GMT+01:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>:

Hi Gustav,
The import namespace statement solved the problem. Now the attribute is loaded, but I am facing the next problem: I see the attribute overrideAdministrativeStatus in the GUI and I can change its values, but it does not show the correct values in the user GUI. When I look at the database I see that the value has changed (e.g. 'disabled'), but the GUI always shows the value "Undefined":

[inline image]

I tried to manually create the lookup table for that attribute and link it in the user template with valueEnumerationRef, but it seems that it does not work this way either.


Best regards,

Aivo

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pálos Gustáv <gustav.palos at evolveum.com>
Sent: 16 January 2017 11:42
To: midPoint General Discussion
Subject: Re: [midPoint] User activation by HR data with manual override possibility

Hi,

please check whether your schema has this at the beginning:

<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://evolveum.com/evolutiongaming"
            xmlns:tns="http://evolveum.com/evolutiongaming"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
...

Best regards,

Gustav

2017-01-16 10:18 GMT+01:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>:

Hi Gustav,

That is a very compact and elegant solution. Unfortunately, when I tried to implement it by first adding the parameter overrideAdministrativeStatus to the userExtension.xsd file, I ran into a schema extension error:


2017-01-16 11:09:06,737 [] [localhost-startStop-1] ERROR (com.evolveum.midpoint.prism.schema.SchemaHandler): Error occured during schema parsing: [Error] on line 120 at file:///home/mpdev/SystemId, null undefined simple or complex type 'c:ActivationStatusType'
2017-01-16 11:09:06,738 [] [localhost-startStop-1] WARN (org.springframework.web.context.support.XmlWebApplicationContext): Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'repositoryFactory': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private com.evolveum.midpoint.prism.PrismContext com.evolveum.midpoint.init.RepositoryFactory.prismContext; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'prismContext' defined in class path resource [ctx-configuration.xml]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.evolveum.midpoint.prism.PrismContext]: Factory method 'createInitializedPrismContext' threw exception; nested exception is com.evolveum.midpoint.util.exception.SchemaException: XML error during XSD schema parsing: undefined simple or complex type 'c:ActivationStatusType'(embedded exception null) in file /home/mpdev/midpoint-data/schema/userExtension.xsd
2017-01-16 11:09:06,760 [] [localhost-startStop-1] ERROR (org.springframework.web.context.ContextLoader): Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'repositoryFactory': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private com.evolveum.midpoint.prism.PrismContext com.evolveum.midpoint.init.RepositoryFactory.prismContext; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'prismContext' defined in class path resource [ctx-configuration.xml]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.evolveum.midpoint.prism.PrismContext]: Factory method 'createInitializedPrismContext' threw exception; nested exception is com.evolveum.midpoint.util.exception.SchemaException: XML error during XSD schema parsing: undefined simple or complex type 'c:ActivationStatusType'(embedded exception null) in file /home/mpdev/midpoint-data/schema/userExtension.xsd


I think the parameter type="c:ActivationStatusType" is causing this error. I tried to change it to type="xsd:ActivationStatusType" but this did not help either. Do you have any ideas how to fix that?


Best regards,

Aivo

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pálos Gustáv <gustav.palos at evolveum.com>
Sent: 16 January 2017 9:41
To: midPoint General Discussion
Subject: Re: [midPoint] User activation by HR data with manual override possibility

Hi Aivo,

In one project I created an extension/overrideAdministrativeStatus user schema extension, and when it is enabled or disabled, I use this value over the user object template; otherwise I keep the value from activation/administrativeStatus as is.

            <xsd:element name="overrideAdministrativeStatus" type="c:ActivationStatusType" minOccurs="0">
                <xsd:annotation>
                    <xsd:appinfo>
                        <a:indexed>true</a:indexed>
                        <a:displayName>Override Administrative status</a:displayName>
                        <a:displayOrder>900</a:displayOrder>
                    </xsd:appinfo>
                    <xsd:documentation>
                        If this is filled, override administrative status from HR calculated from status.
                        If you use this, please write to description a reason, why you do this (for example: She works on maternity leave).
                    </xsd:documentation>
                </xsd:annotation>
            </xsd:element>

<mapping>
    <name>Override administrative status if needed</name>
    <strength>strong</strength>
    <source>
        <path>$user/activation/administrativeStatus</path>
    </source>
    <source>
        <path>$user/extension/overrideAdministrativeStatus</path>
    </source>
    <expression>
        <script>
            <code>
                if (overrideAdministrativeStatus != null) {
                    return overrideAdministrativeStatus;
                }
                return administrativeStatus;
            </code>
        </script>
    </expression>
    <target> <!-- need both administrativeStatus & effectiveStatus also -->
        <path>$user/activation/administrativeStatus</path>
    </target>
    <condition>
        <script>
            <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
            <code>overrideAdministrativeStatus != null</code>
        </script>
    </condition>
</mapping>


Best regards,

Gustav

2017-01-16 8:32 GMT+01:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>:

Hi,

I want to implement a midPoint user activation mechanism based on an HR resource user account field value, with the possibility of a manual GUI override. When the HR resource field "status" has the value "WRS" (work relationship stopped), the midPoint user should be disabled; otherwise the user should be enabled. However, I also need the possibility to manually override the current midPoint user activation value.
I tried implementing inbound activation for the HR resource (like https://github.com/Evolveum/midpoint/blob/master/samples/demo/hr.xml) and it works: when I set the HR user status to "WRS", the midPoint user's administrative status is changed to Disabled. I can also manually enable a disabled user in the administration GUI if needed. But the problem here is that both the HR resource and the admin GUI have the same access to the user's administrativeStatus value: I can change the user status in the GUI, but whenever the HR user data is changed, it also changes administrativeStatus back to the value depending on the status field. Any ideas how I should implement disabling/enabling of a user based on HR data with the possibility of a manual user activation override?
Thanks,
Aivo Kuhlberg

________________________________
This e-mail may contain information which is classified for official use.

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint

--
With regards,

Gustáv Pálos

--
Gustáv Pálos
Identity Engineer
evolveum.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OAS_values.png
Type: image/png
Size: 3637 bytes
Desc: OAS_values.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170118/5aa0e864/attachment.png>
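
A pre-deployment check for the startup failure discussed in the thread (undefined type 'c:ActivationStatusType' when the xsd:import is missing), as an added example that is not part of the original messages or of midPoint: it flags prefixed type references whose namespace the schema never imports. The function name and the UserExtensionType wrapper are assumptions made for this example; the header, import line and element attributes are the ones quoted in the thread.

```python
import io
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"

def unimported_type_refs(xsd_text):
    """Return sorted (qname, namespace) pairs for type/base/ref attributes whose
    namespace is not the XSD namespace, the targetNamespace, or an xsd:import."""
    prefixes, imported, refs, target_ns = {}, set(), [], None
    stream = io.BytesIO(xsd_text.encode("utf-8"))
    for event, item in ET.iterparse(stream, events=("start-ns", "start")):
        if event == "start-ns":          # item is a (prefix, uri) tuple
            prefixes[item[0]] = item[1]  # simplification: prefixes are document-wide
            continue
        if item.tag == f"{{{XSD_NS}}}schema":
            target_ns = item.get("targetNamespace")
        elif item.tag == f"{{{XSD_NS}}}import":
            imported.add(item.get("namespace"))
        for attr in ("type", "base", "ref"):
            value = item.get(attr, "")
            if ":" in value:
                refs.append(value)
    allowed = imported | {XSD_NS, target_ns}
    problems = set()
    for qname in refs:
        ns = prefixes.get(qname.split(":", 1)[0])  # None: prefix never declared
        if ns is None or ns not in allowed:
            problems.add((qname, ns))
    return sorted(problems, key=lambda p: p[0])

# Header and import line as quoted in the thread; the complexType wrapper
# (UserExtensionType) is constructed for this example.
HEADER = """<xsd:schema elementFormDefault="qualified"
    targetNamespace="http://evolveum.com/evolutiongaming"
    xmlns:tns="http://evolveum.com/evolutiongaming"
    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">"""
IMPORT = '<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>'
BODY = """<xsd:complexType name="UserExtensionType"><xsd:sequence>
  <xsd:element name="overrideAdministrativeStatus"
               type="c:ActivationStatusType" minOccurs="0"/>
</xsd:sequence></xsd:complexType></xsd:schema>"""

if __name__ == "__main__":
    print("without import:", unimported_type_refs(HEADER + BODY))
    print("with import:   ", unimported_type_refs(HEADER + IMPORT + BODY))
```

Running it against userExtension.xsd before restarting midPoint catches the missing import without waiting for the context initialization to fail.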

